From CSO to CIRO: Taking Charge of Third-Party Risk

Third parties. Most large companies have contracts with tens of thousands or even hundreds of thousands of them. In today’s outsourced economy, companies of any size cannot function without vendors, partners, and contractors. But as recent data breaches prove, these relationships are fraught with risk—risk that must be managed to avoid brand damage, customer churn, and possible lawsuits and fines.

Third-party risk management has become the elephant in the boardroom and executive management desperately needs somebody to take charge. And that somebody is the CSO.

From security to risk management: the new role of the CSO

Threats and regulations have evolved to the point that risk management has become a business priority requiring C-level visibility. As a result, the role of CSO is evolving to that of Chief Information Risk Officer (CIRO). CIROs manage the complete information risk posture of the organization, from the data center, where there is some control, to outsourcing, where there is almost none. Regardless of where corporate data resides, the CIRO needs to understand the information risk and manage that risk to company risk policies.

We talk to hundreds of CSOs/CISOs and the most successful ones have fully taken charge of third-party risk management. These forward-thinking leaders realize that assessing and managing the risk of every supplier in their organization is not a one-person, or even a one-department job—it’s a companywide endeavor.

CSOs/CIROs of the mature companies with whom I work operate on the principle that while they’re accountable for mitigating vendor and partner risk, others in their organization are responsible for the day-to-day tasks.

Solving the scalability problem

Third-party risk management is not just an IT function. CSOs who “own” risk management must elevate their sights beyond their department to understand the full scope of their new role. The increasing investment in mission-critical applications by departments outside of IT—so-called shadow IT—is making the problem worse. If you don’t know about it, you can’t manage it.

Of the tens of thousands of vendors, partners, and contractors an organization works with, only a small percentage are within IT. There are, in fact, many others—HVAC suppliers, custodial, electricians, maintenance, and so on—that all have to be accounted for. We know too well how devastating it can be to overlook seemingly innocuous vendors.

With a new focus on vendor risk management, CSOs are finding their current methods ineffective. Why would you punish your smart people by making them perform the same risk assessments on thousands of third parties? Hiring additional employees is impractical, the skill set is scarce, and you’ll drown under the weight of your own third-party risk monitoring.

It’s time to abandon one-off techniques and innovate both in your organization and as an industry. There must be a move to automate and standardize the mundane, repetitive tasks of assessing and managing third-party risk. Doing so frees your people to be strategists and risk analysts, not data gatherers. It frees them to be innovators.

The multi-dimensional aspects of risk

The most effective CIROs balance finite resources against an organization’s risk tolerance. They assign the appropriate level of due diligence, such as control attestations or onsite validation, based on each vendor’s level of inherent risk—the exposure created by a third-party relationship. Inherent risk is measured by determining contract exposure risk and business profile risk.

Contract exposure risk examines the type of service a third party provides, and how strategic that service is to the primary organization. It includes the following components:

Strategic risk: How significant is the monetary value of the third-party relationship?

Reputation risk: Would a failure or security breach at this third party cause embarrassment or other reputational harm to the organization?

Operational risk: Would a failure of the third party to deliver impair the organization’s ability to provide product or services to its customers?

Regulatory or contract requirements: Do regulatory or contractual requirements prevent, restrict, or require a given level of security or privacy for the data we are sharing with the third party?

Business profile risk helps an organization understand the risk of doing business with a particular third party. This includes examining factors such as:

Financial status: Is the third party a credit risk or has it declared bankruptcy?

Stability: How long have they been in business?

Legal status: Have they faced criminal or class-action lawsuits? Have they been breached?

Location: Are they located in a high-risk country? Is there political stability?

Regulatory status: How tightly regulated is their industry?

Once the inherent risk has been evaluated, the CSO can determine the level of due diligence appropriate to the services being provided and to the size and complexity of the third party. A review is then completed to ensure the third party meets the company’s risk policy. The third party must remediate any significant risks identified in the review in a timely manner. If the third party represents significant risk or refuses to meet the company’s security requirements, the CSO informs procurement and the internal business unit and recommends withholding payment—or, in extreme cases, moving to another provider—until the issues are resolved.
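To make the tiering process above concrete, here is an added worked example (not code from the article or from Optiv) that scores a vendor on the nine contract-exposure and business-profile questions listed above, maps the result to a due-diligence tier, and applies the escalation path (withhold payment, or move provider) to review findings. The 1–3 scale, equal weights, the thresholds, the "any HIGH contract-exposure component forces the high tier" rule and the two sample vendors are all constructed assumptions for illustration, not a standard the article prescribes.

```python
"""Inherent-risk tiering for third parties, modelled on the article's
two-part breakdown (contract exposure risk + business profile risk).
Scales, weights, thresholds and tier labels are assumptions."""
from dataclasses import dataclass, astuple


class Level(int):
    """1 = low, 2 = medium, 3 = high (assumed three-point scale)."""


LOW, MEDIUM, HIGH = Level(1), Level(2), Level(3)


@dataclass(frozen=True)
class ContractExposure:
    """Answers to the article's four contract-exposure questions."""
    strategic: Level    # monetary significance of the relationship
    reputation: Level   # harm to us if the vendor fails or is breached
    operational: Level  # would a delivery failure impair our service?
    regulatory: Level   # regulatory/contractual constraints on shared data


@dataclass(frozen=True)
class BusinessProfile:
    """Answers to the article's five business-profile questions."""
    financial: Level    # credit risk, bankruptcy
    stability: Level    # short time in business scores higher
    legal: Level        # lawsuits, prior breaches
    location: Level     # high-risk country, political instability
    regulatory: Level   # how tightly regulated their own industry is


@dataclass(frozen=True)
class Vendor:
    name: str
    contract: ContractExposure
    profile: BusinessProfile


@dataclass(frozen=True)
class Finding:
    control: str
    severity: Level
    remediated: bool
    refused: bool = False   # vendor declined to meet the requirement


# Assumed mapping from tier to the due-diligence activity the CSO assigns.
DUE_DILIGENCE = {
    "low": "self-assessment questionnaire, reviewed annually",
    "medium": "control attestation (independent audit report) plus questionnaire",
    "high": "onsite validation of controls before contract signature",
}


def inherent_risk_score(v: Vendor) -> int:
    """Sum of all nine component levels, range 9..27 (equal weights assumed)."""
    return sum(astuple(v.contract)) + sum(astuple(v.profile))


def inherent_risk_tier(v: Vendor) -> str:
    """Assumed rule: any HIGH contract-exposure answer forces the high tier,
    since that is where our own exposure sits; otherwise score thresholds."""
    score = inherent_risk_score(v)
    if HIGH in astuple(v.contract) or score >= 20:
        return "high"
    return "medium" if score >= 14 else "low"


def plan_due_diligence(v: Vendor) -> str:
    return DUE_DILIGENCE[inherent_risk_tier(v)]


def review_decision(v: Vendor, findings: list) -> str:
    """Escalation path from the article: unremediated significant findings go
    to procurement and the business unit with a recommendation to withhold
    payment; a refusal, or open HIGH findings at a high-tier vendor, earns the
    'move to another provider' recommendation."""
    open_high = [f for f in findings if f.severity == HIGH and not f.remediated]
    if not open_high:
        return "approved"
    if any(f.refused for f in open_high) or inherent_risk_tier(v) == "high":
        return "escalate: withhold payment; consider moving to another provider"
    return "escalate: withhold payment until findings are remediated"


# Constructed sample vendors (not real companies).
PAYROLL = Vendor("Example Payroll Processor",
                 ContractExposure(MEDIUM, HIGH, MEDIUM, HIGH),
                 BusinessProfile(LOW, LOW, LOW, LOW, HIGH))
CUSTODIAL = Vendor("Example Custodial Services",
                   ContractExposure(LOW, LOW, LOW, LOW),
                   BusinessProfile(MEDIUM, LOW, LOW, LOW, LOW))

if __name__ == "__main__":
    for v in (PAYROLL, CUSTODIAL):
        print(f"{v.name}: score={inherent_risk_score(v)} "
              f"tier={inherent_risk_tier(v)} -> {plan_due_diligence(v)}")
    open_finding = [Finding("encryption of payroll data at rest", HIGH, False)]
    print(review_decision(PAYROLL, open_finding))
```

The point of the forced-high rule is that a vendor with a clean business profile can still be a high-tier relationship purely because of what we share with it or depend on it for; the score alone would understate that, which is why the two dimensions are evaluated separately rather than folded into one number.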

A call for innovation

CSOs need to meet the challenge of third-party risk management head on. It’s time to execute on a larger risk strategy: managing the risk posture for your organization. This job is bigger than any single department—for any single company, in fact. Security and risk professionals across all industries must unite, accept standardized security assessment reports, and create innovative solutions to address the growing threat of vendor risk. As they do so, best practices for automating and standardizing processes will emerge, freeing companies to focus on growth and profitability—and freeing the CSO and the security team to focus on analyzing and mitigating critical-level risks.

About the Author: James Christiansen is Vice President of information risk management at Optiv and part of the company’s Office of the CISO, which brings value to the security executive community by helping them think differently about their strategy.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
